kAudit Integrations and Findings Exporting

This guide explains how to configure the export of kAudit findings to a 3rd-party system via the kAudit UI. For ConfigMap- and Secret-based configuration, click here.

Integration Types

Alcide kAudit processes Kubernetes Audit logs, identifies anomalies in the observed activity, and reports such anomalies, as well as audit entries matching user-defined policy rules. The detected anomalies in the audit log, as well as the audit entries matching the user’s policy, may be exported for integration with external systems and consumption channels. Alcide kAudit supports several types of integrations with external endpoints:


HTTP API

kAudit findings are pushed to a standard HTTP endpoint in Json format. An HTTP endpoint is configured with its URL. If a specific authentication header is required for the HTTP messages, the authentication header’s name and the token value must also be configured. See additional details here. May be used for integration with:

  • Sumologic integration: URL https://<SumoEndpoint>/receiver/v1/http/<UniqueHTTPCollectorCode>, as described here.

  • CoraLogix integration: URL https://api.coralogix.com/api/v1/logs, with the private key as token, as described here.

  • NewRelic integration: URL https://insights-collector.newrelic.com/v1/accounts/<ACCOUNT_ID>/events, with header X-Insert-Key and the Insert API key as token, as described here.

  • Logz.io integration: https://<LISTENER-HOST>:8071 as described here and here.

  • Splunk integration: as described here.

  • Elasticsearch integration: as described here.
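For an in-house collector rather than one of the SaaS endpoints above, the receiving side has to verify the configured authentication header before trusting the message. The following is an added example (not kAudit code and not part of this guide) of a minimal HTTP collector: it takes the header name and token from the assumed environment variables KAUDIT_AUTH_HEADER and KAUDIT_AUTH_TOKEN, compares the presented token in constant time, and accepts only JSON objects.

```python
"""Minimal HTTP collector for kAudit findings (added example, not kAudit code).

Assumptions made by this example (not from the kAudit docs): the header name
and token come from the environment variables KAUDIT_AUTH_HEADER and
KAUDIT_AUTH_TOKEN, the collector listens on 127.0.0.1:8080, and accepted
findings are appended to an in-memory list.
"""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_HEADER = os.environ.get("KAUDIT_AUTH_HEADER", "X-Kaudit-Token")
AUTH_TOKEN = os.environ.get("KAUDIT_AUTH_TOKEN", "change-me")


def check_auth(headers, header_name=AUTH_HEADER, expected=AUTH_TOKEN):
    """True only if the configured header carries the expected token.

    hmac.compare_digest keeps the comparison constant-time, so a wrong token
    does not leak how many leading characters matched.
    """
    presented = headers.get(header_name)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def parse_finding(body):
    """Decode one kAudit message; returns (finding, error).

    Anything that is not a JSON object is rejected so downstream code can
    rely on dict access for the schema fields.
    """
    try:
        finding = json.loads(body)
    except ValueError as exc:
        return None, f"invalid JSON: {exc}"
    if not isinstance(finding, dict):
        return None, "payload is not a JSON object"
    return finding, None


RECEIVED = []  # in-memory sink for accepted findings (example only)


class KauditHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Reject before reading the body: unauthenticated callers get no parsing.
        if not check_auth(self.headers):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        finding, err = parse_finding(self.rfile.read(length))
        if err:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(err.encode())
            return
        RECEIVED.append(finding)
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet; a real collector would log to its own sink


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), KauditHandler).serve_forever()
```

Configure the kAudit HTTP API integration with the collector's URL, the header name in KAUDIT_AUTH_HEADER and the token in KAUDIT_AUTH_TOKEN; in production put the collector behind TLS, since the token travels in every request.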

Syslog

kAudit findings are pushed to a standard Syslog endpoint. The host name of the Syslog server must be configured, and the default Syslog port may be overridden. The Syslog message may be sent over either UDP or TCP.

Slack

kAudit findings (detections and policy violations) are pushed to the user’s Slack channel. The channel is configured with its webhook URL.

Azure Sentinel

kAudit findings are pushed to Azure Monitor and Azure Sentinel. The Azure Workspace ID and Shared Key must be configured.

AWS S3

kAudit findings are pushed to an AWS S3 bucket. AWS credentials, region and bucket name must be configured. A prefix for the names of the resources created in the bucket (a “directory”) may also be configured, as well as the content type (CSV or Json) and compression. Encryption using KMS may also be configured.

Datadog

kAudit findings are pushed to a standard Datadog HTTP endpoint in Json format. An HTTP endpoint is configured with its URL.

AWS Security Hub

Please refer to the AWS Security Hub Integration Guide.

Add New Findings Export

Choose the integrations page from the kAudit application menu and click ‘Add New Integration’.

Exporting Detections Findings

To export the anomalies that kAudit detects in the audit traffic, select one of the integration types and set the related endpoint. You may set a filter on the detections that will be sent to the integration endpoint; only detections matching all conditions will be exported. Configurable filters:

  • Entity type: select one or more of cluster, principal or resource.

  • Category: select one or more of incident or anomaly.

Json message schema

  • time: Detection time.

  • alert-uid: Detection instance identifier.

  • category: Detection category, one of: anomaly or incident. (An incident is a combination of several related anomalies on the same entity at the same time.)

  • project: (optional) For a GKE cluster: the GKE project identifier.

  • cluster: Kubernetes cluster identifier. For a GKE cluster: the GKE cluster identifier. For other types of clusters: the user-configured cluster name.

  • etype: Entity type for which an anomaly was detected. Currently one of: cluster (the aggregation of all audited activities), principal (an audited action’s initiator) or resource (an audited action’s target).

  • eid: Entity id for which an anomaly was detected. For a principal: may be a service account name, an email or an IP address. For a resource: the k8s resource name.

  • confidence: Detection confidence, one of: high, medium, low.

  • short-doc: High-level detection description.

  • doc: Detailed detection description.

  • context: (optional) Context of the activity pattern, such as samples of observed values of an audit entry attribute.

  • reasons: (optional) Additional information about the reasons that flagged the activity pattern as anomalous. For an incident instance, includes the alert-uids of the related anomaly instances.
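A consumer of the detections export usually needs two things that the schema alone does not give it: a check that a message is well-formed before it reaches a ticketing or alerting pipeline, and a way to see which entity a group of findings concerns. The following added example (not kAudit code and not part of this guide) validates messages against the field names and allowed values above and indexes usable detections by (cluster, etype, eid). All sample messages are constructed; the shape assumed for the reasons field of the incident is an illustration, since the guide does not specify it.

```python
"""Validate and index kAudit detection messages (added example, not kAudit code).

Field names and allowed values follow the detection schema described above.
The sample messages are constructed for this example; the structure given to
the optional 'reasons' field is an assumption, not a documented format.
"""
from collections import defaultdict

REQUIRED = ("time", "alert-uid", "category", "cluster", "etype", "eid",
            "confidence", "short-doc", "doc")
ENUMS = {
    "category": {"anomaly", "incident"},
    "etype": {"cluster", "principal", "resource"},
    "confidence": {"high", "medium", "low"},
}
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


def validate_detection(msg):
    """Return the schema problems found in one message (empty list = usable).

    The optional fields (project, context, reasons) are never required.
    """
    problems = [f"missing field: {f}" for f in REQUIRED if f not in msg]
    for field, allowed in ENUMS.items():
        if field in msg and msg[field] not in allowed:
            problems.append(f"{field}={msg[field]!r} not in {sorted(allowed)}")
    return problems


def index_by_entity(messages, min_confidence="low"):
    """Group usable detections by the entity they concern.

    Returns ({(cluster, etype, eid): [alert-uid, ...]}, skipped_count).
    Messages below min_confidence are dropped; malformed messages are
    skipped and counted instead of aborting the whole batch.
    """
    index = defaultdict(list)
    skipped = 0
    for msg in messages:
        if validate_detection(msg):
            skipped += 1
            continue
        if CONFIDENCE_RANK[msg["confidence"]] < CONFIDENCE_RANK[min_confidence]:
            continue
        index[(msg["cluster"], msg["etype"], msg["eid"])].append(msg["alert-uid"])
    return dict(index), skipped


def _det(uid, category, etype, eid, confidence, **extra):
    """Build a constructed sample message using the schema's field names."""
    msg = {"time": "2021-03-01T10:00:00Z", "alert-uid": uid, "category": category,
           "cluster": "prod-eu", "etype": etype, "eid": eid, "confidence": confidence,
           "short-doc": f"{category} on {etype} {eid}", "doc": "constructed sample"}
    msg.update(extra)
    return msg


SA = "system:serviceaccount:ci:builder"  # constructed principal id
SAMPLE = [
    _det("a1", "anomaly", "principal", SA, "high"),
    _det("a2", "anomaly", "principal", SA, "medium",
         context={"user-agent": ["kubectl/v1.20", "python-requests/2.25"]}),
    # Assumed shape for 'reasons' on an incident: the related alert-uids.
    _det("i1", "incident", "principal", SA, "high",
         reasons={"related-alerts": ["a1", "a2"]}),
    _det("a3", "anomaly", "resource", "secrets/ci/registry-creds", "low"),
    # Constructed malformed message: 'eid' is missing.
    {"time": "2021-03-01T10:05:00Z", "alert-uid": "bad", "category": "anomaly",
     "cluster": "prod-eu", "etype": "principal", "confidence": "high",
     "short-doc": "missing eid", "doc": "constructed malformed sample"},
]

if __name__ == "__main__":
    index, skipped = index_by_entity(SAMPLE, min_confidence="medium")
    for entity, uids in index.items():
        print(entity, uids)
    print("skipped malformed:", skipped)
```

Raising min_confidence to "medium" drops the low-confidence resource anomaly while keeping the three findings on the service account together, which is the view an analyst wants before opening the incident's doc text.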

Exporting Audit Violations

To export audit entries matched by the user-configured policy, select one of the integration types and set the related endpoint parameters.

You may set a filter on the policy-matching audit events that will be sent to the integration endpoint. Only events matching all conditions will be exported. Configurable filters:

  • Report: You may configure “details” content, meaning every audit entry matching any of the rules, or “Count” content, which periodically reports the number of audit entries that match each rule.

Json message schema

If the “Count” (periodic summary) report content is chosen, the message contains the following fields. Some of these fields relate to the content of the original entry in the audit log, so they may not appear in every message.

  • time: Detection time.

  • project: (optional) For a GKE cluster: the GKE project identifier.

  • cluster: Kubernetes cluster identifier. For a GKE cluster: the GKE cluster identifier. For other types of clusters: the user-configured cluster name.

  • rule: Name of the rule in the user’s policy that the audit entry matched.

  • principal: May be a service account name, an email or an IP address.

  • caller-ip: IP from which the API server request was received.

  • caller-ip-asn: ASN of the IP from which the API server request was received.

  • caller-ip-country: Country code of the IP from which the API server request was received.

  • resource-namespace: K8s namespace of the resource addressed by the request.

  • count: The number of audit events that match the rule in a period.

  • count-period: The duration of the period in milliseconds.


If the “details” report content is chosen, the following fields are sent in the message. Some of these fields relate to the content of the original entry in the audit log, so they may not appear in every message.

  • time: Detection time.

  • project: (optional) For a GKE cluster: the GKE project identifier.

  • cluster: Kubernetes cluster identifier. For a GKE cluster: the GKE cluster identifier. For other types of clusters: the user-configured cluster name.

  • rule: Name of the rule in the user’s policy that the audit entry matched.

  • principal: May be a service account name, an email or an IP address.

  • caller-ip: IP from which the API server request was received.

  • caller-ip-asn: ASN of the IP from which the API server request was received.

  • caller-ip-country: Country code of the IP from which the API server request was received.

  • api-group: K8s API group addressed by the request.

  • resource-namespace: K8s namespace of the resource addressed by the request.

  • resource-type: K8s type of the resource addressed by the request.

  • resource-name: Name of the k8s resource addressed by the request.

  • subresource: Name of the k8s subresource (usually a remote operation on a pod) addressed by the request (e.g. exec for a remote shell, attach, portforward, log).

  • subresource-exec-command: The remote command wrapped by an ‘exec’ command to a pod.

  • subresource-exec-container: The container within the pod that an ‘exec’ command addresses.

  • uri: URI addressed by the request.

  • unusual-uri: URI addressed by the request that does not match a k8s URI.

  • verb: The k8s verb of the request.

  • access-type: The type of action requested on the k8s resource: read (verb is get, get-list) vs. write (verb is create, update, delete, patch).

  • caller-supplied-user-agent: The base user-agent associated with the request. Some parts of the user-agent string may be extracted to additional fields, like ua-kubectl, ua-kubernetes etc.

  • original-user-agent: The user-agent associated with the request.

  • user-id: User ID.

  • username: User name.

  • user-groups: User groups.

  • user-access-key-ids: Extra AWS Access Key IDs used in authentication.

  • impersonated-principal: Impersonated principal.

  • impersonated-user-id: Impersonated user ID.

  • impersonated-username: Impersonated user name.

  • impersonated-groups: Impersonated groups.

  • impersonated-access-key-ids: Extra AWS Access Key IDs used in impersonation.

  • status: Request status.

  • status-code: Numeric request status code.

  • status-reason: Request status string.

  • non-authorized: Boolean, true if the request was not authorized.

  • images: Container images affected by the request.

  • pod-security-context: Summary of the Pod Security configuration modified by the request (e.g. Deployment creation, update or patch).

  • containers-security-contexts: Summary of all Container Security configurations modified by the request.

  • containers-ports: Summary of all Container Port configurations modified by the request.

  • modified-role-binding-namespace: Namespace of the Role Binding configuration modified by the request.

  • modified-role-binding-name: Name of the Role Binding configuration modified by the request.

  • modified-role-binding-role-name: Role name in the Role Binding configuration modified by the request.

  • modified-role-binding-subjects: Subjects in the Role Binding configuration modified by the request.

  • modified-role-namespace: Namespace of the Role configuration modified by the request.

  • modified-role-name: Name of the Role configuration modified by the request.

  • modified-role-rules: Summary of the rules in the Role configuration modified by the request.
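Both report contents of the audit violations export (the “Count” summary and the per-entry “details” message) can arrive at the same endpoint, and a consumer has to handle each on its own terms: a Count message is only comparable across rules once count and count-period are normalised to a rate, while a details message carries the fields that decide whether a matched entry needs human review. The following added example (not kAudit code and not part of this guide) does both for a constructed batch; the review flags it derives are an assumed triage policy for the example, not something kAudit defines.

```python
"""Consume kAudit audit-violation messages (added example, not kAudit code).

Field names follow the "Count" and "details" schemas described above. The
two message kinds are told apart by the presence of the count fields. The
review flags are an assumed triage policy for this example, and every sample
message below is constructed.
"""


def message_kind(msg):
    """'count' for a periodic summary, 'details' for a per-entry report."""
    return "count" if "count" in msg and "count-period" in msg else "details"


def rule_rate_per_minute(msg):
    """Normalise a Count message to matches per minute.

    count-period is in milliseconds, so rules exported with different
    periods become comparable once scaled to a common unit.
    """
    period_ms = msg["count-period"]
    if period_ms <= 0:
        raise ValueError("count-period must be positive")
    return msg["count"] * 60000 / period_ms


RBAC_PREFIXES = ("modified-role-binding-", "modified-role-")


def risk_flags(msg):
    """Derive review flags from a details message (assumed policy).

    The order of checks is fixed so the output is stable for the same input.
    """
    flags = []
    if msg.get("non-authorized") is True:
        flags.append("unauthorized")
    if msg.get("subresource") in {"exec", "attach", "portforward"}:
        flags.append("remote-pod-access")
    if msg.get("impersonated-principal") or msg.get("impersonated-username"):
        flags.append("impersonation")
    if any(key.startswith(RBAC_PREFIXES) for key in msg):
        flags.append("rbac-change")
    if msg.get("access-type") == "write" and "images" in msg:
        flags.append("workload-image-change")
    return flags


def summarize(messages):
    """Return {'rates': {rule: per-minute}, 'flagged': [(rule, principal, flags)]}."""
    rates, flagged = {}, []
    for msg in messages:
        if message_kind(msg) == "count":
            rates[msg["rule"]] = rule_rate_per_minute(msg)
        else:
            flags = risk_flags(msg)
            if flags:
                flagged.append((msg["rule"], msg.get("principal"), flags))
    return {"rates": rates, "flagged": flagged}


# Constructed sample messages; values are illustrative, not real audit data.
COUNT_MSG = {"time": "2021-03-01T10:05:00Z", "cluster": "prod-eu",
             "rule": "exec-into-pod", "resource-namespace": "payments",
             "count": 30, "count-period": 300000}
DETAILS_EXEC = {"time": "2021-03-01T10:04:12Z", "cluster": "prod-eu",
                "rule": "exec-into-pod", "principal": "jane@example.com",
                "caller-ip": "203.0.113.7", "verb": "create", "access-type": "write",
                "resource-namespace": "payments", "resource-type": "pods",
                "resource-name": "api-7d9f", "subresource": "exec",
                "subresource-exec-command": "/bin/sh", "subresource-exec-container": "api",
                "status-code": 200, "non-authorized": False}
DETAILS_RBAC = {"time": "2021-03-01T10:04:30Z", "cluster": "prod-eu",
                "rule": "rbac-change", "principal": "system:serviceaccount:ci:deployer",
                "verb": "create", "access-type": "write", "non-authorized": False,
                "modified-role-binding-namespace": "payments",
                "modified-role-binding-name": "ops-admin",
                "modified-role-binding-role-name": "admin",
                "modified-role-binding-subjects": ["ops-team"]}
DETAILS_FORBIDDEN = {"time": "2021-03-01T10:04:45Z", "cluster": "prod-eu",
                     "rule": "any-forbidden", "principal": "bob@example.com",
                     "verb": "get", "access-type": "read", "status-code": 403,
                     "non-authorized": True, "impersonated-username": "admin"}
SAMPLE_BATCH = [COUNT_MSG, DETAILS_EXEC, DETAILS_RBAC, DETAILS_FORBIDDEN]

if __name__ == "__main__":
    print(summarize(SAMPLE_BATCH))
```

Since the audit activity export (next section) uses the same field set as the details message minus rule, risk_flags applies unchanged to messages from that integration as well.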

Exporting Audit Activity

This integration may be used to export all audit entries. As with the other integrations, select one of the integration types and set the related endpoint parameters.

Json message schema

Similar to the schema of the “details” message of the audit violations export (see the previous section), without the “rule” field.